From 3cfe59727799eff88df031aa2c93f47788b8e724 Mon Sep 17 00:00:00 2001 From: Pascal Jungblut Date: Wed, 6 Nov 2024 14:53:22 +0000 Subject: [PATCH] Add MASTG-TEST-0x76-2 --- .../ios/MASVS-PLATFORM/MASTG-TEST-0x76-1.md | 2 +- .../ios/MASVS-PLATFORM/MASTG-TEST-0x76-2.md | 31 +++++++++++++++++++ 2 files changed, 32 insertions(+), 1 deletion(-) create mode 100644 tests-beta/ios/MASVS-PLATFORM/MASTG-TEST-0x76-2.md diff --git a/tests-beta/ios/MASVS-PLATFORM/MASTG-TEST-0x76-1.md b/tests-beta/ios/MASVS-PLATFORM/MASTG-TEST-0x76-1.md index d012d16487..1732926672 100644 --- a/tests-beta/ios/MASVS-PLATFORM/MASTG-TEST-0x76-1.md +++ b/tests-beta/ios/MASVS-PLATFORM/MASTG-TEST-0x76-1.md @@ -8,7 +8,7 @@ weakness: MASWE-0072 ## Overview -`UIWebView` was deprecated in iOS 12.0 in favor of `WKWebView` which is available since iOS 8.0. `WKWebView` offers [better control over its capabilities](../../../Document/0x06h-Testing-Platform-Interaction/#uiwebview "iOS Platform APIs: UIWebView"), e.g. it allows you to disable JavaScript with `javaScriptEnabled` and it can verify resources with the `hasOnlySecureContent`. Thus, it should be preferred over `UIWebView`. +`UIWebView` was deprecated in iOS 12.0 in favor of `WKWebView` which is available since iOS 8.0. `WKWebView` offers [better control over its capabilities](../../../Document/0x06h-Testing-Platform-Interaction.md "iOS Platform APIs: UIWebView"), e.g. it allows you to disable JavaScript with `javaScriptEnabled` and it can verify resources with the `hasOnlySecureContent`. Thus, it should be preferred over `UIWebView`. In this test we can check any references to `UIWebView` inside the binary. diff --git a/tests-beta/ios/MASVS-PLATFORM/MASTG-TEST-0x76-2.md b/tests-beta/ios/MASVS-PLATFORM/MASTG-TEST-0x76-2.md new file mode 100644 index 0000000000..4058805928 --- /dev/null +++ b/tests-beta/ios/MASVS-PLATFORM/MASTG-TEST-0x76-2.md 
@@ -0,0 +1,31 @@ +--- +platform: ios +title: JavaScript Enabled in WKWebView +id: MASTG-TEST-0x76-2 +type: [static] +weakness: MASWE-0070 +--- + +## Overview + +[`WKWebView`](https://developer.apple.com/documentation/webkit/wkwebview "Apple Developer")offers the `javaScriptEnabled` and `allowsContentJavaScript` settings to disable all JavaScript execution. Disabling them avoids all [script injection flaws](../../../Document/0x06h-Testing-Platform-Interaction.md "iOS Platform APIs"). + +## Steps + +1. Extract the app as described in @MASTG-TECH-0058. +2. Review the code or reverse engineer the binary according to @MASTG-TECH-0076 and identify references to `WkWebView`, calls to `WkPreferences.javaScriptEnabled` and + `WKWebPagePreferences.allowsContentJavaScript`. + +## Observation + +The output could contain references to `WkWebView` or calls to `WkPreferences.javaScriptEnabled` and `WKWebPagePreferences.allowsContentJavaScript`. + +## Evaluation + +The test case fails if there are references to `WkWebView` and one of the following is true: + +- There are no references to `WkPreferences.javaScriptEnabled` or `defaultWebpagePreferences.allowsContentJavaScript`. +- `WkPreference.javaScriptEnabled` is set to `1`. +- `WKWebpagePreferences.allowsContentJavaScript` is set to `1`. + +The preferences should be set to `NO` (0), so that JavaScript is not executed in the `WkWebView` to avoid possible script injections.
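Review bot: In the changed Overview line of `MASTG-TEST-0x76-1.md`, the new link target `0x06h-Testing-Platform-Interaction.md` drops the `#uiwebview` fragment that the old target carried, while the link title still reads "iOS Platform APIs: UIWebView". The reader now lands at the top of the chapter instead of the UIWebView section. If the fragment still resolves, consider `0x06h-Testing-Platform-Interaction.md#uiwebview`; otherwise adjust the title to match the new target.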
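Review bot: The class names in Steps, Observation and Evaluation of `MASTG-TEST-0x76-2.md` are spelled inconsistently (`WkWebView`, `WkPreferences`, `WkPreference`, `WKWebPagePreferences`, `WKWebpagePreferences`), and a tester will search the code or binary for these strings as written. The WebKit names are `WKWebView`, `WKPreferences` and `WKWebpagePreferences`; please use them throughout. The first Evaluation bullet names `defaultWebpagePreferences.allowsContentJavaScript` while Steps and Observation name `WKWebPagePreferences.allowsContentJavaScript`, and its "or" leaves open whether one missing reference or both missing references fails the test; stating that explicitly would make the pass/fail decision reproducible. The bullets say "set to `1`" while the closing sentence says "`NO` (0)", so pick one notation. In the Overview, a space is missing between the `WKWebView` link and "offers".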